Add "local network access" permission for macOS 15 runners

Hi,

We have an issue (https://github.com/actions/runner-images/issues/10924) raised by a user requesting to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners. Apple introduced a new LNP policy with macOS Sequoia that is not controlled by TCC or MDM. Could you please guide us on how to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners?

Thanks.

Could you please guide us on how to add 'local network access' permission for macOS 15 and macOS 15-arm64 image runners?

First up, make sure you’ve read TN3179 Understanding local network privacy. As noted in that technote, this setting is:

  • Per user

  • Not settable via a configuration profile or MDM

  • Not resettable via tccutil

That makes things challenging in your situation )-:

Normally CI systems don’t need local network access because the code they’re building has no reason to be accessing stuff on the local network. However, reading the issue you linked to I see that you’re trying to enable your customers to test Mac software that uses the local network. Is that right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi, the user is attempting to test multicast sockets, which results in routing errors; this suggests that the code is running without "local network access" permissions.

The user says that ideally this would be configurable, so that code could be tested to ensure that it doesn't need this permission, but when it is necessary for a certain function it would be nice to have.

The user says that ideally this would be configurable

Right, that makes sense.

Unfortunately I don’t have any good answers for you here. If the code being tested is a GUI app, you have to run it in a user context, and that context is subject to local network privacy. And, as you’ve noted, there’s no way to enable that via, say, a configuration profile.

One potential option is to lean into virtualisation. So, let your customer set up a virtual machine and grant the Local Network privilege to their app there, then save that VM and restore it each time you want to test their code. That’ll likely work, but I suspect that it won’t fit well into your product’s current structure.

Beyond that, my advice is that you file an enhancement request for the feature you’d like to see, being very clear about the specific high-level use case you’re trying to handle.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am the user in question, so I guess I might as well chime in directly.

let your customer set up a virtual machine and grant the Local Network privilege to their app there

In this specific case, it's not a GUI application, it's a Python library, which has some multicast logic in it. Are you suggesting that the only option now is to block every test run on a user manually VNCing into a cloud CI backend to manually click on some GUI preferences? As you might imagine, this is not feasible either for an open source library that needs to accept volunteer contributions or a hosted CI service with ephemeral test runners.

(The practical upshot of this is that we will need to treat macOS as a platform which can no longer support multicast sockets, which would be a bit of a bummer.)

Bug number: FB16213134
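
For a Python library in the situation described in this thread, one way to make the test suite report the runner's state instead of failing is a multicast send probe. This is an added example, not code from any poster or from the runner-images project; the group address, port, function names, and the errno values treated as the thread's "routing errors" are assumptions.

```python
import errno
import socket
import struct

# Assumption: the "routing errors" reported in the thread surface as these
# errno values from sendto(); the thread itself does not name them.
BLOCKED_ERRNOS = {errno.EHOSTUNREACH, errno.ENETUNREACH}

# Constructed sample target: an administratively scoped multicast group/port.
PROBE_GROUP = "239.255.42.99"
PROBE_PORT = 50000


def classify_send_error(exc):
    """Map an OSError from a multicast send to a coarse verdict."""
    if exc.errno in BLOCKED_ERRNOS:
        return "blocked"  # consistent with missing local network access
    return "error"        # anything else: report it, do not guess


def probe_multicast(group=PROBE_GROUP, port=PROBE_PORT, ttl=1):
    """Send one datagram to a multicast group and return (verdict, detail).

    verdict is "ok", "blocked" or "error". A TTL of 1 keeps the packet on
    the local link. The function never raises, so a test suite can call it
    during collection and record the result in the CI log.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL,
                            struct.pack("B", ttl))
            sock.sendto(b"lnp-probe", (group, port))
    except OSError as exc:
        return classify_send_error(exc), f"errno={exc.errno} {exc.strerror}"
    return "ok", "datagram sent"


def should_skip_multicast_tests():
    """True when multicast tests cannot run meaningfully on this runner."""
    verdict, _ = probe_multicast()
    return verdict != "ok"


if __name__ == "__main__":
    print(probe_multicast())
```

A verdict of "ok" only means the send was not rejected locally; it does not confirm that any peer received the datagram.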
